Authorization endpoint bypasses CORS middleware


This post was flagged by the community and is temporarily hidden.


Yes, you can set origin in your client to allow certain origins for certain clients. The API docs should have more info on that.


Ah, I now see it inside the schema definition for clients, will give it a try. Thanks!


Unfortunately it doesn’t work or I am doing something wrong. After reading the documentation of allowed_cors_origins again it explicitly mentions the token endpoint while I am talking about the authorization endpoint.

My Environment contains

  • CORS_DEBUG=true

which I had hoped to be enough. I now have also explicitly enabled allowed_cors_origins for the client and set it to relying party1 - but still I see

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://auth.redacted/oauth2/auth?response_type=code&client_id=party2_client&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing

in the JavaScript console (and curl or whatever). What you describe seems to be performed by corsMiddleware passed into SetRoute but it is explicitly not used in

Finally my logs show

[cors] 2018/12/07 17:06:54 Handler: Actual request
[cors] 2018/12/07 17:06:54   Actual request no headers added: missing origin
time="2018-12-07T17:06:54Z" level=info msg="started handling request" method=GET remote="" request=/health/alive
time="2018-12-07T17:06:54Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=210398 method=GET remote="" request=/health/alive status=200 text_status=OK took="210.398µs"
time="2018-12-07T17:06:55Z" level=info msg="started handling request" method=GET remote= request=/.well-known/openid-configuration request_id=4a3fc9ae1f4e570ac1c74c243224b8b9
[cors] 2018/12/07 17:06:55 Handler: Actual request
[cors] 2018/12/07 17:06:55   Actual request no headers added: missing origin
time="2018-12-07T17:06:55Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=281999 method=GET remote= request=/.well-known/openid-configuration request_id=4a3fc9ae1f4e570ac1c74c243224b8b9 status=200 text_status=OK took="281.999µs"
time="2018-12-07T17:06:55Z" level=info msg="started handling request" method=GET remote= request="/oauth2/auth?response_type=code&client_id=party2&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline" request_id=b76b7da655612a5f61e802cb0b936645
time="2018-12-07T17:06:55Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=8590350 method=GET remote= request="/oauth2/auth?response_type=code&client_id=party2&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline" request_id=b76b7da655612a5f61e802cb0b936645 status=302 text_status=Found took=8.59035ms
[cors] 2018/12/07 17:06:56 Handler: Actual request
[cors] 2018/12/07 17:06:56   Actual request no headers added: missing origin
time="2018-12-07T17:06:56Z" level=info msg="started handling request" method=GET remote="" request=/health/ready
time="2018-12-07T17:06:56Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=251799 method=GET remote="" request=/health/ready status=200 text_status=OK took="251.799µs"

so you can see the cors middleware doesn’t log anything for the /oauth2/auth request while it is active on discovery and health.

Edit: this is 1.0.0rc3
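An added reproduction of the symptom described above, written here as a constructed Go example (not Hydra's code): one route is wrapped by a CORS middleware, the authorization route is registered without it, and a probe function reports which routes actually emit Access-Control-Allow-Origin for an allow-listed origin. The allow-list, handlers and route names are assumptions modelled on the thread.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
)

// Constructed allow-list standing in for a client's allowed_cors_origins.
var allowedOrigins = map[string]bool{"https://party1": true}
// corsMiddleware sets Access-Control-Allow-Origin for allow-listed origins and logs like the thread's "[cors]" lines otherwise.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch origin := r.Header.Get("Origin"); {
		case origin == "":
			log.Println("[cors] Actual request no headers added: missing origin")
		case allowedOrigins[origin]:
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		default:
			log.Printf("[cors] Actual request no headers added: origin %q not allowed", origin)
		}
		next.ServeHTTP(w, r)
	})
}

func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// newRouter mirrors the symptom: discovery is wrapped by the middleware, the auth endpoint is not.
func newRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/.well-known/openid-configuration", corsMiddleware(http.HandlerFunc(ok)))
	mux.HandleFunc("/oauth2/auth", ok) // registered without corsMiddleware: never emits CORS headers
	return mux
}

// corsHeaderFor probes path with an Origin and returns Access-Control-Allow-Origin ("" = route bypasses CORS).
func corsHeaderFor(h http.Handler, path, origin string) string {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	r := newRouter()
	for _, p := range []string{"/.well-known/openid-configuration", "/oauth2/auth"} {
		log.Printf("%s -> Access-Control-Allow-Origin=%q", p, corsHeaderFor(r, p, "https://party1"))
	}
}
```

Running the same probe against a real deployment (a request carrying an Origin header to each endpoint) is a quick way to confirm which routes sit behind the CORS middleware before opening an issue.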


Can you show the client config? Feel free to redact sensitive info



  "client_name":"Backend Client",
  "scope":"openid offline",
  "allowed_cors_origins": ["https://party1"],


Is "allowed_cors_origins": ["https://party1"], the right source URL? Have you tried * here? And feel free to move this over to GitHub as this seems to be a proper issue (and it’s easier to track there)


Yes, it is the proper origin, I will try using * explicitly (deployment takes a bit of time, so please bear with me).

I started here as I wasn’t sure whether it is a bug or there was a good reason Hydra behaves the way it does. Will open an issue.


What seems weird is that there is no debug message, this should work. Are you using serve all or two separate commands?


I’m using serve all - using * didn’t change anything, BTW.

For now I’m creating a simple docker based test case and will add it to the issue I’m creating.


Ok, strange - can you open an issue on GitHub (I’m away over the weekend)? Can you also check if you’re seeing two messages CORS Enabled on start up?


GitHub Issue 1211 (the forum software says I cannot post a link to that host, seems to be some kind of hiccup).

Enjoy your weekend and thanks so far :slight_smile:


Oh, and if anybody could explain why my post was flagged as spam “by multiple community members” I’ll be happy to change whatever is needed. Unfortunately I have no idea. In any case I’d like to apologize if I’m violating any rules.


It was? Man, the flagging system is really sh*t here. Constantly bans/mutes people for no reason…


The system flagged it as spam, no real person. I have no idea how to unflag it…


It flagged you because you posted multiple links to GitHub…I increased the post threshold and added github to the whitelist, sorry about that!


Don’t worry.

The message that told me the post was hidden said “Multiple community members flagged this post before it was hidden,” that’s what the phrase in my message stemmed from. I figured it must have been the github links when the system later told me I couldn’t post a link to that host.

At least I now know to avoid using discourse for my own projects :wink: